Microcontrollers are the heart of numerous connected systems. Although they store sensitive data, the security of the underlying hardware is scarcely considered during product development – leaving them vulnerable to hacker attacks.
Microcontrollers as gateways for hackers: Hardware security is still too little considered during development.
Simple measures are already sufficient to prevent cyberattacks. This is shown by the study on hardware attacks on microcontrollers by the Fraunhofer Institute for Applied and Integrated Security AISEC, commissioned by the Federal Office for Information Security (BSI).
Microcontrollers are indispensable for the Internet of Things (IoT). These small single-chip computer systems are used in nearly all smart devices – from industrial and consumer products to sensitive applications such as access control systems, e-Wallets, and critical infrastructures in aviation or medicine. Microcontrollers store sensitive data such as cryptographic keys, access data, and valuable intellectual property. However, due to cost reasons and a lack of awareness of the dangers, standard microcontrollers are often used in security-relevant IoT products, making them an attractive target for attackers who also exploit vulnerabilities in the hardware.
Protection measures for relevant attack techniques tested
The study "Hardware Attacks against Microcontrollers", conducted by Fraunhofer AISEC on behalf of the BSI, shows that hardware protection receives too little consideration in product development. Many smart devices with microcontrollers at their core have security vulnerabilities. However, even in IoT devices that are already in circulation, protection measures can easily be implemented via software to prevent most relevant hardware attacks or significantly increase the effort required by an attacker. To raise awareness of the dangers in development and manufacturing, the researchers at Fraunhofer AISEC have evaluated three types of hardware attacks on microcontrollers and proposed appropriate countermeasures:
Hardware attacks and countermeasures
1) Control-Flow Attacks (control flow manipulation): In this attack technique, the proper execution of a program is manipulated through voltage and clock glitching, electromagnetic, or laser-based fault injection. Attacks of this kind can be prevented or at least made more difficult through compiler-based countermeasures based on existing error detection systems. Software tools of this kind are currently a subject of research in hardware security. Initial versions of the tools are already being used in the industry.
2) Side-Channel Attacks: Measurements of the chip's energy consumption and electromagnetic emission allow attackers to gain unauthorized knowledge about keys in the microcontroller. To prevent this sensitive information from being spied on, so-called leakage-resilient cryptographic methods, masking of secret values, or shuffling of the processing sequence can act as protective measures. These obscure correlations between measured values and sensitive information.
3) Attacks on Read-Out Protection Techniques: Vulnerabilities in the debug interface can be exploited to access confidential data on the microcontroller. While bypassing the read-out protection mechanism cannot be entirely prevented through software-based methods alone, the impact of an attack can be significantly reduced depending on the product, for example by using code obfuscation techniques or by encrypting sensitive data stored in the flash memory area.
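For the control-flow attacks in item 1, the following added example (not code from the study or from Fraunhofer AISEC) shows by hand the kind of redundancy that error-detection countermeasures place around a security decision: a duplicated computation, a complemented copy, and a step counter. All names and constants are constructed for illustration, and the assumption that a tool would emit checks of this shape is ours.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed result codes with a large Hamming distance between them, so
   no single flipped bit turns one outcome into another. */
#define FI_ALLOW 0x3CA5965Au
#define FI_DENY  0xC35A69A5u
#define FI_FAULT 0x5A3CA596u

/* OR of all byte differences: 0 only if the buffers are equal. */
static uint32_t diff(const volatile uint8_t *a, const volatile uint8_t *b, size_t n)
{
    uint32_t d = 0;
    for (size_t i = 0; i < n; i++) d |= (uint32_t)(a[i] ^ b[i]);
    return d;
}

/* Decision on redundant state: d and its stored complement nd must agree,
   and the step counter must show that every stage actually ran. */
uint32_t fi_decide(uint32_t d, uint32_t nd, uint32_t steps)
{
    if ((d ^ nd) != 0xFFFFFFFFu) return FI_FAULT;  /* copies disagree */
    if (steps != 3u)             return FI_FAULT;  /* a stage was skipped */
    if (d != 0u)                 return FI_DENY;
    if (nd != 0xFFFFFFFFu)       return FI_FAULT;  /* re-test before allow */
    return FI_ALLOW;
}

uint32_t hardened_check(const uint8_t *got, const uint8_t *want, size_t n)
{
    volatile uint32_t d, nd, steps = 0;
    d  = diff(got, want, n);   steps += 1;
    nd = ~diff(want, got, n);  steps += 2;   /* independent second run */
    return fi_decide(d, nd, steps);
}

int main(void)
{
    const uint8_t want[4] = {1, 2, 3, 4}, bad[4] = {1, 2, 3, 5};  /* constructed */
    return hardened_check(want, want, 4) == FI_ALLOW &&
           hardened_check(bad, want, 4) == FI_DENY ? 0 : 1;
}
```

A fault that forces only one of the two comparison results to "equal", or that skips one of the stages, ends in FI_FAULT instead of FI_ALLOW.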
The three examined attack techniques endanger the integrity, confidentiality, and reliability of almost all microcontrollers identified in a market analysis and the information stored on them. The countermeasures proposed and practically demonstrated in the study can be software-based and often implemented retrospectively, without significantly impairing the performance or function of the controller.
Appeal to industry, research, and policy
However, these protective measures are not yet widely applied. The researchers therefore urge microcontroller manufacturers to include hardware attacks in their threat models and to disclose these models. This information would enable IoT product manufacturers, who integrate their microcontrollers, to select appropriate products for security-relevant applications.
They call on the research community to improve the tools for software-based countermeasures in terms of practicability and user-friendliness for embedded developers. They urge legislators and regulators to create economic incentives so that protective measures against hardware attacks become essential for certain applications. Ultimately, consumers can also have a significant impact on the progress in developing better-protected hardware through their purchasing behavior.
Date: 08.12.2025
The research team of the "Hardware Security" department at Fraunhofer AISEC emphasizes: "Our study shows that hardware attacks on microcontrollers represent a real threat to security-relevant IoT systems. We want to encourage always considering the security of microcontrollers during their development and implementing effective countermeasures." (mk)